Date: Wed, 24 Apr 2002 01:19:03 +0900
From: office <office@ukky.net>
To: www@FreeBSD.org
Cc: office@ukky.net
Subject: Cross-Site Scripting on your site (www.freebsd.org)
Message-ID: <20020424011757.ABE7.OFFICE@ukky.net>

My name is 'office', an Internet user (not a hacker).

I have found a cross-site scripting vulnerability on your site, so I am reporting it.

You can recognize the vulnerability with the URL

http://www.FreeBSD.org/cgi/query-pr-summary.cgi?category=&severity=&priority=&class=&state=&sort=none"><script>alert("hello")</script>&text=test&responsible=&multitext=&originator=&release=

and that proves that any (malicious) script code is possible as a FreeBSD web page.

For example, you can make a malicious URL, so that if the victim accesses that URL, a false login form for FreeBSD appears, and the inputted information is sent to another site. So the FreeBSD members' ID and password might be stolen with that malicious URL on www.freebsd.org.

If you want to know more about cross-site scripting, you can refer to
http://www.cert.org/advisories/CA-2000-02.html

This vulnerability in your site and your reaction to this report will be published by me adequately.

Thanks,

-- 
office
office@ukky.net
http://www.office.ac/
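
Added example, not part of the original message and not the FreeBSD CGI's own code: a Python illustration of the reflection the report describes and its fix by output encoding. It assumes the `sort` parameter is echoed into an HTML attribute (the message does not show the script's source); the function names and `ALLOWED_SORT` are hypothetical.

```python
import html
from urllib.parse import urlsplit, parse_qs

# URL taken from the report; the script payload is the one quoted in the message.
REPORTED_URL = (
    'http://www.FreeBSD.org/cgi/query-pr-summary.cgi?category=&severity=&priority='
    '&class=&state=&sort=none"><script>alert("hello")</script>&text=test'
    '&responsible=&multitext=&originator=&release='
)

# Assumption: the set of sort keys the form accepts. Only "none" appears in the report.
ALLOWED_SORT = {"none"}


def get_param(url, name):
    """Return the first value of a query parameter, or '' if it is absent."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(sort):
    # Before: the raw value is pasted into the attribute, so '">' closes the
    # tag and everything after it is parsed by the browser as markup.
    return '<input type="hidden" name="sort" value="%s">' % sort


def render_escaped(sort):
    # After: & < > " ' become entities, so the value cannot leave the attribute.
    return '<input type="hidden" name="sort" value="%s">' % html.escape(sort, quote=True)


def validated_sort(sort, default="none"):
    # Defence in depth: accept only known sort keys, fall back otherwise.
    return sort if sort in ALLOWED_SORT else default


if __name__ == "__main__":
    value = get_param(REPORTED_URL, "sort")
    print("reflected value :", value)
    print("unescaped output:", render_unsafe(value))
    print("escaped output  :", render_escaped(value))
    print("after allowlist :", validated_sort(value))
```

Escaping at output time fixes the reflection for every parameter the page echoes; the allowlist additionally rejects values the form never generates.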